Kiri

1

DIGITAL RESILIENCE

AMCHAM ESTONIA DIGITAL SOCIETY COMMITTEE POSITION PAPER

Intro Digital technologies have the potential to solve some of society’s most difficult challenges, such as climate change and healthcare, and foster the birth, development and growth of new ventures that will create and finance the future of Estonia.

As a Digital Frontrunner, Estonia has a good chance to reap the benefits of digitization, how- ever it requires that Estonia continues to drive an ambitious national agenda on digitization, innova- tion and entrepreneurship. But since Estonia is a small and export driven country, its success largely also depends on the EU’s ability to develop a pos- itive policy agenda that promotes open economy,

free trade, digital innovation and transatlantic re- lations and that avoids protectionism and harmful regulation.

We urge Estonia to continue to use its role as a digital leader and soft power to push for a positive EU agenda following elections this year, including by working closely with partners and like-minded countries. This could be done via initiatives such as the declaration that Prime Minister Kallas signed and initiatives that seek to deepen the positive outlook in a more digital context for example led by Minister Riisalo.

Europe’s Place as a Leader in Technology and Innovation Europe is at a critical juncture. In the early 2000s, the GDP per capita of the US and the EU were on par. However, by 2023, the GDP per capita in the US had doubled that of the EU ($80k vs $40k). The EU has been progressively losing its global competitiveness and falling behind in innovation. Thirty years after its formal establishment, the EU’s Single Market remains largely incomplete. A business in Tallinn still faces significant barriers to offering services in Amsterdam, Vilnius, or Athens. The EU is no longer a fertile ground for innova- tion, technology development, and the growth of world-class companies.

One of the main drivers of the EU’s loss of global competitiveness is the slow adoption of techno- logy and innovation. Europe lags behind in all major technological developments, whether it’s cloud computing, Artificial Intelligence, or quan- tum computing.

First, a mindset shift is needed in Europe. Policy-

makers should view the tech sector as a key partner in achieving its goal of building an Open Strategic Autonomy, and leverage available tech- nology assets (computing power, e-commerce platforms, open-source AI models) to build its own autonomy. This requires a change in pers- pective: from ‘what new technologies need to be regulated in the next five years’ to ‘how can we stimulate/make sure that these new technologies come from Europe and European citizens benefit from it’.

The private sector, particularly tech companies, have made significant investments in data centres, leading to the development of cloud computing, cloud-based AI applications, and edge services, which are crucial for driving innovation in Europe. It’s estimated that US firms alone have invested a substantial USD 597 billion towards ICT infra- structure and cloud solutions in Europe. The relationship between tech companies and the EU is

2

marked by mutual dependencies. Tech companies make long-term investments in the EU because it is a competitive market and offers political stabil- ity. In return, the investments of tech companies can support the EU’s strategic autonomy agenda and help it regain its leadership in innovation and technology.

Secondly, a robust and complete Digital Single Market with truly harmonized regulation is crucial to addressing Europe’s problems and reversing its loss of competitiveness. Companies looking to scale up in Europe often cite a lack of regulatory harmonization and regulatory inefficiency as sig- nificant barriers to growth.

In addition to reforms on regulatory enforcement across the EU and increased investments in R&D to support EU businesses to take risks and inno- vate, we believe it’s necessary for Estonia to stress

the importance of adopting a pro-innovation ap- proach. An example could be embracing AI and adopting an open approach to AI, which would allow Europe to reap the benefits of AI applica- tions.

Europe has all the necessary resources to reclaim its position as a global leader in technology and innovation. The EU is home to some of the world’s best universities, top scientists and engineers, and the world’s most innovative companies, including from Estonia. A mindset shift is necessary to lever- age the EU’s potential and turn it into a force to be reckoned with. It’s crucial that Estonia advocates for a strong framework for innovative reforms, and that the next European Commission acts on it to ensure the EU doesn’t fall behind in the race for innovation.

Artificial Intelligence (AI) AI presents an immense economic opportunity, but we also recognise that the use of AI raises certain concerns. AI is not itself inherently good or bad; the key is developing and deploying it re- sponsibly and ensuring regulation is risk-based and use case specific while allowing for contin- ued innovation and practical application of this transformative technology. The EU approved the first law on how to regulate AI. We support the

Commission’s objective to ensure a proportionate, risk-based approach to AI regulation, and hope this can be a helpful start for a global discussion around AI governance. As we move to intense work on the code of practice with the AI industry, we urge Estonia to advocate for solutions that will benefit European AI providers and will increase the number of national champions in the AI space.

Payment Services Regulation Valued at €240 trillion in Europe in 2021, electronic payments are essential to Europe’s economy. As the legislative framework governing electronic payments, the Payment Services Regulation (PSR) must deliver logical and common-sense rules that make EU citizens’ lives simpler. As part of achieving this, we call to advocate for removing Art. 59 from the text, as it unjustifiably makes in- dustry accountable for fraudsters’ impersonation scams. It also poses privacy challenges for users of both end-to-end encrypted messaging services and SMS, as it is also not technically possible to monitor and remove them for an E2EE messaging service.

A pure shift of liability to the Payment Service Pro-

viders (PSP) for impersonation scams is akin to putting a band aid over a gaping wound: it will not fix the underlying problem long-term. The focus must instead be on raising consumer awareness and detecting criminals through public-private collaboration.

The PSR can play a key role tackling frauds and scams and mitigate the harm suffered by consum- ers when engaging in fraudulent transactions. To make the law effective, policymakers should focus on understanding the role each actor plays along the value chain, from PSPs to platforms and other intermediaries, and identify the actions that each entity is best suited to take to to mitigate these harms.

3

Any liability extension to online including plat- forms or hosts, would run counter to the core principles established by the eCommerce Direc- tive and reinforced in the Digital Services Act, namely that: (1) hosts are not liable for illegal con- tent on their services absent actual knowledge , and (2) the prohibition against requiring hosting services, including platforms and private messag- ing services, to generally monitor their services for illegal content.

All measures should align with the recently adopted Digital Services Act, its intermediary lia- bility principles which provide the relevant liability framework for hosting services, including plat- forms and messaging services, with regard to the

takedown of illegal content in the EU which the PSR should fully complement and not replace.

Instead of undermining the well-balanced frame- work drafted by the European Commission with broad, far-reaching and unjustified liability exten- sions, policymakers should focus on fostering the cooperation between PSPs and other entities that can collaborate to prevent fraud. These measures should include knowledge and information sharing that can help financial institutions build adequate preemptive measures. Similarly, shifting the liabil- ity entirely to the PSP discourages consumers from being diligent themselves. Systems and campaigns should be put in place to help them to better rec- ognise, avoid and report scams.

EU Cloud Security Services The EU Cloud Services Certification for Cyber- security (“EUCS”) has the potential to drive a step-change in baseline European enterprise and public sector cybersecurity for cloud deployments, particularly in light of the increased risks posed to European security in 2022. The EUCS has raised concerns among industry, EU Member States but also EU trading partners (e.g. US, Japan, Australia, Canada), as in its earlier drafts it was discriminat- ing against CSPs based on country of HQ, risking to cut off European businesses and governments from the most secure cloud services and cyber

protections at a time when these institutions continue to be negatively impacted by malware, ransomware and DDOS attacks. We therefore appreciate that the Commission has taken the concerns of industry, Member States and trading partners (like Japan, US) on EUCS seriously and is seeking to move forward with the scheme in a way that does not discriminate against non-EU cloud providers. We encourage Member States to keep engaging in this process and to vote in favor of a solution that would maintain EUCS as a technical cybersecurity scheme open to all providers.

Stimulate Digital Transformation Through Cloud Adoption We recommend that you stimulate digital transfor- mation and growth by increasing cloud adoption by introducing a Cloud First policy, e.g. inspired by the UK, Iceland and the NL, and a strategy based on a flexible multi-cloud strategy and solid foun- dations for portability and interoperability.

Cloud first means that public organizations need to provide a clear explanation if they decide against the option.

We welcome the progress of the cloud bill in Es- tonia clarifying the requirements for the public sector to adopt cloud services. However, as the wording is not encouraging the adoption of cloud services it risks that the Public Sector in Estonia falls behind others in adopting and utilizing cloud services. This in turn will have a negative impact on the security of public services and on innova- tion in general.

4

International Tax Reform The OECD is negotiating a global tax reform with the aim to reallocate taxing rights targeted at the world’s largest companies (Pillar 1) and new standards around global minimum taxation (Pillar 2). We are supportive of the OECD process and we are hopeful that Estonia will continue to support a robust, multilateral framework that doesn’t dis- criminate against products and services, and we hope that harmful targeted taxes such as Digital Services Taxes (DSTs) will no longer be considered at national or European levels. DSTs are problem-

atic in that they narrowly target certain activities and companies and are designed to operate out- side the principled framework of business taxation. They create concerns around tax and legal cer- tainty and the legitimacy of an international tax system that has been built around multilateral coordination. This is the system that underpins all global trade and cross-border investment and the reason why it’s important that Estonia supports the OECD framework.

Estonia’s Cybersecurity Landscape: Capitalizing on Digital Legacy In an age where digital technologies play an in- creasingly significant role in steering the progress of nations, Estonia stands as a beacon of inno- vation and dexterity in the cyber arena. With a proven track record as a digital frontrunner, Es- tonia embodies the epitome of a nation that has seamlessly blended tradition with technology, carving a niche for itself in the global digital land- scape.

Heading deeper into the digital era, Estonia al- ready understands that the decisions made today will shape its digital future. It is imperative that Es- tonia continues leveraging its stature as a digital powerhouse to further amplify its influence and contribute constructively to the EU’s policy frame- work, fostering an environment that nurtures innovation, entrepreneurship, and responsible digitization.

Recommendations:

Legislation and Regulation Advocate for balanced and foresighted regula- tions at the EU level that foster innovation without compromising security and privacy. Estonia should be at the helm, guiding discussions around har- monious legislation that accommodates the rapid advancements in the digital sphere without im- posing undue restrictions. Similarly, on a national level, Estonia should aim to harmonize regulators in the digital sphere.

Cybersecurity Expertise and Innovation Hub Establish Estonia as a hub for cybersecurity re- search and innovation, inviting collaborations with universities, industries, and governments globally. Innovation topics should focus beyond cyber se- curing and defending, it should include space sector, tackling digital divide, data privacy in the

age of AI and sustainable digitalisation. This could pave the way for the development of state-of-the- art cybersecurity solutions, give a further boost to the start-up industry and putting Estonia at the forefront of cyber-technology advancements.

International Collaboration and Diplomacy Utilize Estonia’s standing as a digital leader to fos- ter collaborations and alliances with like-minded nations, focusing on sharing knowledge, and facil- itating dialogues on important issues such as data privacy, cybercrimes, and digital trade policies. Es- tonia should further enhance its leading positions by championing forums and summits that focus on crafting cohesive international cyber policies that promote free trade and digital innovation.

Empowering the next generation of cyber profes- sionals

5

Become the leader in the development of ed- ucational programs and initiatives to nurture a workforce adept in cybersecurity and techno- logical transformation. By fostering a culture of learning and expertise in this field, Estonia can contribute significantly more to the global demand for cyber professionals, enhancing its competitive edge in the international arena.

Developing a Resilient Cyber Infrastructure Estonia should continue its trajectory of building a robust and resilient cyber infrastructure that not only protects its digital assets but also serves as a blueprint for other nations to emulate. Innovation hubs and simulation environment enabled collab- orative initiatives with private sector enterprises could be a pivotal move in this direction, driving innovation and securing digital platforms.

Developing Cyber Crisis Management Centre Developing an Estonian Cyber Crisis Coordina- tion Management Centre could serve as a hub for collaborative crisis management efforts en- compassing various sectors within Estonia and extending to cooperative platforms in the EU and globally. This centre should be mandated to con- duct regular cyber crisis simulation drills, foster public awareness, and facilitate knowledge shar- ing and research development in the field of cyber resilience. Furthermore, the centre should actively collaborate with international partners, promote innovation, and nurture a proactive and resilient cyber ecosystem capable of foreseeing and miti- gating future challenges effectively.

1

DIGITAL RESILIENCE

AMCHAM ESTONIA DIGITAL SOCIETY COMMITTEE POSITION PAPER

Intro Digital technologies have the potential to solve some of society’s most difficult challenges, such as climate change and healthcare, and foster the birth, development and growth of new ventures that will create and finance the future of Estonia.

As a Digital Frontrunner, Estonia has a good chance to reap the benefits of digitization, how- ever it requires that Estonia continues to drive an ambitious national agenda on digitization, innova- tion and entrepreneurship. But since Estonia is a small and export driven country, its success largely also depends on the EU’s ability to develop a pos- itive policy agenda that promotes open economy,

free trade, digital innovation and transatlantic re- lations and that avoids protectionism and harmful regulation.

We urge Estonia to continue to use its role as a digital leader and soft power to push for a positive EU agenda following elections this year, including by working closely with partners and like-minded countries. This could be done via initiatives such as the declaration that Prime Minister Kallas signed and initiatives that seek to deepen the positive outlook in a more digital context for example led by Minister Riisalo.

Europe’s Place as a Leader in Technology and Innovation Europe is at a critical juncture. In the early 2000s, the GDP per capita of the US and the EU were on par. However, by 2023, the GDP per capita in the US had doubled that of the EU ($80k vs $40k). The EU has been progressively losing its global competitiveness and falling behind in innovation. Thirty years after its formal establishment, the EU’s Single Market remains largely incomplete. A business in Tallinn still faces significant barriers to offering services in Amsterdam, Vilnius, or Athens. The EU is no longer a fertile ground for innova- tion, technology development, and the growth of world-class companies.

One of the main drivers of the EU’s loss of global competitiveness is the slow adoption of techno- logy and innovation. Europe lags behind in all major technological developments, whether it’s cloud computing, Artificial Intelligence, or quan- tum computing.

First, a mindset shift is needed in Europe. Policy-

makers should view the tech sector as a key partner in achieving its goal of building an Open Strategic Autonomy, and leverage available tech- nology assets (computing power, e-commerce platforms, open-source AI models) to build its own autonomy. This requires a change in pers- pective: from ‘what new technologies need to be regulated in the next five years’ to ‘how can we stimulate/make sure that these new technologies come from Europe and European citizens benefit from it’.

The private sector, particularly tech companies, have made significant investments in data centres, leading to the development of cloud computing, cloud-based AI applications, and edge services, which are crucial for driving innovation in Europe. It’s estimated that US firms alone have invested a substantial USD 597 billion towards ICT infra- structure and cloud solutions in Europe. The relationship between tech companies and the EU is

2

marked by mutual dependencies. Tech companies make long-term investments in the EU because it is a competitive market and offers political stabil- ity. In return, the investments of tech companies can support the EU’s strategic autonomy agenda and help it regain its leadership in innovation and technology.

Secondly, a robust and complete Digital Single Market with truly harmonized regulation is crucial to addressing Europe’s problems and reversing its loss of competitiveness. Companies looking to scale up in Europe often cite a lack of regulatory harmonization and regulatory inefficiency as sig- nificant barriers to growth.

In addition to reforms on regulatory enforcement across the EU and increased investments in R&D to support EU businesses to take risks and inno- vate, we believe it’s necessary for Estonia to stress

the importance of adopting a pro-innovation ap- proach. An example could be embracing AI and adopting an open approach to AI, which would allow Europe to reap the benefits of AI applica- tions.

Europe has all the necessary resources to reclaim its position as a global leader in technology and innovation. The EU is home to some of the world’s best universities, top scientists and engineers, and the world’s most innovative companies, including from Estonia. A mindset shift is necessary to lever- age the EU’s potential and turn it into a force to be reckoned with. It’s crucial that Estonia advocates for a strong framework for innovative reforms, and that the next European Commission acts on it to ensure the EU doesn’t fall behind in the race for innovation.

Artificial Intelligence (AI) AI presents an immense economic opportunity, but we also recognise that the use of AI raises certain concerns. AI is not itself inherently good or bad; the key is developing and deploying it re- sponsibly and ensuring regulation is risk-based and use case specific while allowing for contin- ued innovation and practical application of this transformative technology. The EU approved the first law on how to regulate AI. We support the

Commission’s objective to ensure a proportionate, risk-based approach to AI regulation, and hope this can be a helpful start for a global discussion around AI governance. As we move to intense work on the code of practice with the AI industry, we urge Estonia to advocate for solutions that will benefit European AI providers and will increase the number of national champions in the AI space.

Payment Services Regulation Valued at €240 trillion in Europe in 2021, electronic payments are essential to Europe’s economy. As the legislative framework governing electronic payments, the Payment Services Regulation (PSR) must deliver logical and common-sense rules that make EU citizens’ lives simpler. As part of achieving this, we call to advocate for removing Art. 59 from the text, as it unjustifiably makes in- dustry accountable for fraudsters’ impersonation scams. It also poses privacy challenges for users of both end-to-end encrypted messaging services and SMS, as it is also not technically possible to monitor and remove them for an E2EE messaging service.

A pure shift of liability to the Payment Service Pro-

viders (PSP) for impersonation scams is akin to putting a band aid over a gaping wound: it will not fix the underlying problem long-term. The focus must instead be on raising consumer awareness and detecting criminals through public-private collaboration.

The PSR can play a key role tackling frauds and scams and mitigate the harm suffered by consum- ers when engaging in fraudulent transactions. To make the law effective, policymakers should focus on understanding the role each actor plays along the value chain, from PSPs to platforms and other intermediaries, and identify the actions that each entity is best suited to take to to mitigate these harms.

3

Any liability extension to online including plat- forms or hosts, would run counter to the core principles established by the eCommerce Direc- tive and reinforced in the Digital Services Act, namely that: (1) hosts are not liable for illegal con- tent on their services absent actual knowledge , and (2) the prohibition against requiring hosting services, including platforms and private messag- ing services, to generally monitor their services for illegal content.

All measures should align with the recently adopted Digital Services Act, its intermediary lia- bility principles which provide the relevant liability framework for hosting services, including plat- forms and messaging services, with regard to the

takedown of illegal content in the EU which the PSR should fully complement and not replace.

Instead of undermining the well-balanced frame- work drafted by the European Commission with broad, far-reaching and unjustified liability exten- sions, policymakers should focus on fostering the cooperation between PSPs and other entities that can collaborate to prevent fraud. These measures should include knowledge and information sharing that can help financial institutions build adequate preemptive measures. Similarly, shifting the liabil- ity entirely to the PSP discourages consumers from being diligent themselves. Systems and campaigns should be put in place to help them to better rec- ognise, avoid and report scams.

EU Cloud Security Services The EU Cloud Services Certification for Cyber- security (“EUCS”) has the potential to drive a step-change in baseline European enterprise and public sector cybersecurity for cloud deployments, particularly in light of the increased risks posed to European security in 2022. The EUCS has raised concerns among industry, EU Member States but also EU trading partners (e.g. US, Japan, Australia, Canada), as in its earlier drafts it was discriminat- ing against CSPs based on country of HQ, risking to cut off European businesses and governments from the most secure cloud services and cyber

protections at a time when these institutions continue to be negatively impacted by malware, ransomware and DDOS attacks. We therefore appreciate that the Commission has taken the concerns of industry, Member States and trading partners (like Japan, US) on EUCS seriously and is seeking to move forward with the scheme in a way that does not discriminate against non-EU cloud providers. We encourage Member States to keep engaging in this process and to vote in favor of a solution that would maintain EUCS as a technical cybersecurity scheme open to all providers.

Stimulate Digital Transformation Through Cloud Adoption We recommend that you stimulate digital transfor- mation and growth by increasing cloud adoption by introducing a Cloud First policy, e.g. inspired by the UK, Iceland and the NL, and a strategy based on a flexible multi-cloud strategy and solid foun- dations for portability and interoperability.

Cloud first means that public organizations need to provide a clear explanation if they decide against the option.

We welcome the progress of the cloud bill in Es- tonia clarifying the requirements for the public sector to adopt cloud services. However, as the wording is not encouraging the adoption of cloud services it risks that the Public Sector in Estonia falls behind others in adopting and utilizing cloud services. This in turn will have a negative impact on the security of public services and on innova- tion in general.

4

International Tax Reform The OECD is negotiating a global tax reform with the aim to reallocate taxing rights targeted at the world’s largest companies (Pillar 1) and new standards around global minimum taxation (Pillar 2). We are supportive of the OECD process and we are hopeful that Estonia will continue to support a robust, multilateral framework that doesn’t dis- criminate against products and services, and we hope that harmful targeted taxes such as Digital Services Taxes (DSTs) will no longer be considered at national or European levels. DSTs are problem-

atic in that they narrowly target certain activities and companies and are designed to operate out- side the principled framework of business taxation. They create concerns around tax and legal cer- tainty and the legitimacy of an international tax system that has been built around multilateral coordination. This is the system that underpins all global trade and cross-border investment and the reason why it’s important that Estonia supports the OECD framework.

Estonia’s Cybersecurity Landscape: Capitalizing on Digital Legacy In an age where digital technologies play an in- creasingly significant role in steering the progress of nations, Estonia stands as a beacon of inno- vation and dexterity in the cyber arena. With a proven track record as a digital frontrunner, Es- tonia embodies the epitome of a nation that has seamlessly blended tradition with technology, carving a niche for itself in the global digital land- scape.

Heading deeper into the digital era, Estonia al- ready understands that the decisions made today will shape its digital future. It is imperative that Es- tonia continues leveraging its stature as a digital powerhouse to further amplify its influence and contribute constructively to the EU’s policy frame- work, fostering an environment that nurtures innovation, entrepreneurship, and responsible digitization.

Recommendations:

Legislation and Regulation Advocate for balanced and foresighted regula- tions at the EU level that foster innovation without compromising security and privacy. Estonia should be at the helm, guiding discussions around har- monious legislation that accommodates the rapid advancements in the digital sphere without im- posing undue restrictions. Similarly, on a national level, Estonia should aim to harmonize regulators in the digital sphere.

Cybersecurity Expertise and Innovation Hub Establish Estonia as a hub for cybersecurity re- search and innovation, inviting collaborations with universities, industries, and governments globally. Innovation topics should focus beyond cyber se- curing and defending, it should include space sector, tackling digital divide, data privacy in the

age of AI and sustainable digitalisation. This could pave the way for the development of state-of-the- art cybersecurity solutions, give a further boost to the start-up industry and putting Estonia at the forefront of cyber-technology advancements.

International Collaboration and Diplomacy Utilize Estonia’s standing as a digital leader to fos- ter collaborations and alliances with like-minded nations, focusing on sharing knowledge, and facil- itating dialogues on important issues such as data privacy, cybercrimes, and digital trade policies. Es- tonia should further enhance its leading positions by championing forums and summits that focus on crafting cohesive international cyber policies that promote free trade and digital innovation.

Empowering the next generation of cyber profes- sionals

5

Become the leader in the development of ed- ucational programs and initiatives to nurture a workforce adept in cybersecurity and techno- logical transformation. By fostering a culture of learning and expertise in this field, Estonia can contribute significantly more to the global demand for cyber professionals, enhancing its competitive edge in the international arena.

Developing a Resilient Cyber Infrastructure Estonia should continue its trajectory of building a robust and resilient cyber infrastructure that not only protects its digital assets but also serves as a blueprint for other nations to emulate. Innovation hubs and simulation environment enabled collab- orative initiatives with private sector enterprises could be a pivotal move in this direction, driving innovation and securing digital platforms.

Developing Cyber Crisis Management Centre Developing an Estonian Cyber Crisis Coordina- tion Management Centre could serve as a hub for collaborative crisis management efforts en- compassing various sectors within Estonia and extending to cooperative platforms in the EU and globally. This centre should be mandated to con- duct regular cyber crisis simulation drills, foster public awareness, and facilitate knowledge shar- ing and research development in the field of cyber resilience. Furthermore, the centre should actively collaborate with international partners, promote innovation, and nurture a proactive and resilient cyber ecosystem capable of foreseeing and miti- gating future challenges effectively.